>> Now, about 4.7. Note that the page for only lists individual names,
>> does
>> not list any company affiliations or employers at all. An odd
>> change/omission?
>
> could there be a simpler explanation?
Certainly. Maybe some intern generating the stats page was too lazy to
summarize it by company. Maybe they stopped tracking company affiliation.
Maybe it's just an oversight.
Given the state of computer/network/software security these days and the
NSA's reputation, I thought it was worth pointing out. :)
>> Xen is a much bigger and faster-moving target than I ever expected for a
>> hypervisor.
>
> indeed, same here.
Wiki on Microkernels is consistent with my understanding:
> In terms of the source code size, as a general rule microkernels tend to
be smaller than monolithic kernels, usually sizing at under 10,000 lines
of code.
Xen's Wiki page states:
> Xen Project is a hypervisor using a microkernel design
It's a bit disingenuous to call Xen a Microkernel, at 150,000+ lines of code.
I hope to dig through the sources a bit tonight, and see how much of that
is truly the core kernel/security bits, and how much of that is qemu
drivers and stuff. Maybe there is a lean, well-reviewed core that we can
all trust, with a lot of supporting drivers and such. Although the fact
that those acknowledgement pages are careful to point out "Microkernel
core" vs. auxiliary stuff.
>> Is it possible to have a secure environment, where you don't fully trust
>> the hardware/software?
>
> no, especially assuming s#fully## ;-p
Not with existing hardware/software/operating systems, but can we get
there? Is there even a path forward? :)
Sadly, there doesn't seem to be any viable Xen alternatives. (I guess one
could always create alternatives from forks of Xen or the various other
hypervisors/kernels out there; although securing/improving/auditing Xen is
probably less work.)
>> And unless you've designed the hardware and
>> software yourself (or they're both open and heavily and transparently
>> reviewed), and your never let either out of your sight and protection,
>> how
>> can you ever fully trust hardware/software?
>
> you can't.
>
> and yeah, that's sad. luckily the real world is mostly not *that* black
> and white.
True, security isn't an on/off binary thing, it's more of a probability to
be combined with your risk profile. Qubes certainly increases your odds
at having some security by a fair bit.
Probably minor in comparison to all the holes, bugs, bad design choices,
and vulnerabilities in PC hardware (and software bugs/backdoors), but
every little bit helps.
> long story short: I'd argue that *noone* should fully trust computers.
> however, this doesn't make them completly useless ;-)
Very good point. I've overly-trusted computers, and have been hacked so
badly in the past few years that computers have basically become useless
to me. But I'm also a pretty low-valued target, lol, so I'm trying to
rebuild my confidence in my setup for work (and personal) sanity and
dignity.
It's awfully hard not to rely upon computers on a daily basis for work,
personal, communications, media purposes.
Stumbled across this, rather interesting:
https://en.wikipedia.org/wiki/Exokernel
JJ